GDPR, NIS 2 and DORA risks from a geography perspective: how to deal with data travel between continents?


The European Commission's third attempt to facilitate the transfer of personal data from the EU to the US has brought great relief to all those who use global cloud providers. Everything is easy for the US, but not for other countries. How much of a role will geography play in NIS 2 and DORA, under which financial institutions will have to carefully evaluate which country a supplier operates in?

Jan Kubicek

First, let's look at the biggest change with GDPR. Then we'll look at what's in store for us under NIS 2 and DORA.

GDPR risks: we have a transatlantic data protection framework for the US

As of July 2023, compliance professionals, risk managers and business owners could breathe a sigh of relief: thanks to a decision of the European Commission (the so-called adequacy decision, or decision on adequate protection), using cloud services from U.S. vendors is a little easier again.

Personal data is no longer a problem, which was not the case until recently (as you can recall here). What does this mean for us? And does it still make sense to enter into Standard Contractual Clauses (SCCs) under the GDPR?

The obligation to assess the legal environment and the behaviour of public authorities in foreign jurisdictions (i.e. the need to draw up a Transfer Impact Assessment, TIA) was one of the big headaches of the GDPR. This is because large IT service providers often require in their contracts that they can use (sub)suppliers from other countries.

The European Commission's decision has simplified the situation considerably for US (sub)suppliers. It will be easiest for those who are certified under the DPF (EU-US Data Privacy Framework).

From July 2023, personal data can flow easily between the US and the EU.

But beware of transferring personal data to countries other than the U.S.: large providers like to use (sub)suppliers from South America, India, China, etc. For such transfers you must still:

  1. develop a Transfer Impact Assessment (TIA) - i.e. an assessment of the legal system and the practice of public authorities (how much it compromises the personal data you transmit to the country),
  2. introduce and assess complementary measures - i.e. strong encryption, properly set up access to the encryption key, or a proxy server for Google Analytics, etc.

So what is the current situation regarding the transfer of personal data to the US?

Following the conclusion of the US-EU agreement, the European Commission, by its decision of 10 July 2023, included the USA among the countries with an adequate level of data protection.

In the US today, there are two groups of processors/importers of personal data from the EU: those certified under the DPF and those not certified under the DPF:

1) Suppliers certified under the DPF

You may transfer personal data to these companies without using a transfer tool under Article 46 of the GDPR (typically standard contractual clauses (SCCs) or BCRs).

You no longer have to assess the legal environment and the practice of the authorities (TIA) or introduce additional measures (which had until now been necessary to keep personal data out of the hands of US public authorities).

You can easily transfer personal data to a certified supplier from the moment it appears on the Data Privacy Framework list. On the list you will find, for example, Google LLC or Microsoft Corporation; Oracle Corporation, on the other hand, is still not on it as of October 2023.

2) Suppliers not certified under the DPF

In this case, the processing of personal data remains as problematic as before.

Bad news: you must still choose a transfer tool (typically SCCs) to fulfill all controller responsibilities. You should also perform a TIA and put sufficient additional measures in place.

Good news: the TIA will be simple. In fact, you can refer to the European Commission's decision, which judges the rules newly introduced into US law to be sufficient. These rules apply to both certified and non-certified suppliers. Therefore, you do not even need additional measures (encryption, appropriate management of encryption keys, etc.).

This possibility has been pointed out, for example, by the Swiss expert David Rosenthal, and the EDPB agrees.

Newly available redress mechanism

With the issuance of the adequacy decision for the U.S., the redress mechanism under U.S. Executive Order 14086 is newly available to citizens of all EEA countries (i.e. EU + 3 other countries). This improves their position in case they want to file a complaint for violation of rights by the US security authorities.

International Trade Administration and the U.S. Department of Commerce, the two organizations involved in the operation of the DPF.

One last complication remains: subcontractors from third countries

If a U.S. supplier uses subcontractors (in GDPR parlance, "sub-processors") from countries outside the EEA for which there is no adequacy decision, you should again develop a TIA and introduce sufficient complementary measures. You are the one who answers for every onward transfer, because you have "set personal data in motion" and sent it outside the EU in the first step.

Can a supplier lose certification?

Yes. A certified supplier may voluntarily withdraw from certification, may choose not to renew registration the following year... and may also be struck off if they commit misconduct. So you had better also arrange Standard Contractual Clauses (SCCs) that would cover the transfer of data in the event that a supplier suddenly does not have certification.

Schrems III? Or a look into the future

The NGO NOYB (founded by the well-known activist Max Schrems) has decided to put the European Commission's decision to the test at the EU Court of Justice. It has reservations about the substantive changes compared to the previous solution (Privacy Shield, which was annulled by the Schrems II decision).

So it's possible that within a few years a "Schrems III" verdict will come down, which will make the transfer of personal data to the US more difficult. Until then, however, it is possible to transfer personal data to the US in full compliance with the GDPR.

There is another reason for optimism: it is possible that over the next few years cloud providers will complete the more secure solutions they are already working on today, such as:

  • confidential computing,
  • sovereignty controls,
  • establishing cooperation with European IT service providers.

This would lead to opportunities to be "easily and quickly" compliant with the GDPR even after a possible repeal of the adequacy decision.

Geographical risks of NIS 2 and the draft new law on cyber security

The conduct of public authorities in different countries is also addressed in the proposed Decree on supplier risk criteria, which is one of the decrees implementing the new law on cyber security. In order to be NIS 2 compliant, you will need to assess the supplier's risks and how they are affected by:

  • the country of residence and the country from which the supplier is managed,
  • the country of residence of the beneficial owner and, where applicable, the person who controls the supplier,
  • a country that can influence or put pressure on the supplier.

You will also need to take into account international sanctions imposed, activities of the secret services, the absence of a separation of powers or a democratic regime, and whether the country in question operates against the interests of the Czech Republic. So we get into the political and geopolitical levels.

DORA risks: geography again

The draft of one of the RTS (regulatory technical standards) supplementing the DORA Regulation prescribes details of the register of ICT service providers in the financial sector. This register will be used by the supervisory authorities (ESAs) to monitor the concentration risk of suppliers. Banks and others will thus have to record, for example:

  • the country where the provider is based,
  • the country where the ultimate parent company of the provider is based,
  • the country from which the ICT services are provided,
  • the country where the data is stored (data at rest),
  • the country where the data is processed,
  • the country where the alternative provider is based (finding an alternative provider will be part of the exit strategy for critical or important functions).

The institution will then also need to consider the country in which the supplier operates, and where it processes and stores data, in its strategy for using ICT suppliers for services supporting a critical or important function. This geographical consideration will also play a role in due diligence on a new provider, in particular for the assessment of operational risks, reputational risks and the risk that imposed sanctions will prevent the service from being provided.

Summary: GDPR, NIS 2 and DORA risks from a geography perspective

DORA risks, NIS 2 risks and GDPR risks: these (not only) banking regulations are linked, among other things, by the obligation to think about the geographical location from which the supplier provides its services. For GDPR, the adequacy decision for the US has helped, but under NIS 2 and DORA banks will face new responsibilities.

National borders continue to play a large role in regulation. While the adequacy decision facilitates the use of U.S. suppliers, nothing changes for other non-EU/EEA countries. In addition to the GDPR, NIS 2 and DORA introduce new requirements regarding the country of origin and location of the supplier.

About the author
Jan Kubicek

Legal IT Consultant

Jan will support you wherever compliance is concerned. He has a legal background (regulatory, compliance and data protection in banking). He often scrutinises contracts to ensure that the numerous regulatory requirements are met. When analyzing contracts, he likes to anticipate what could happen... and figure out how to treat potential risks.